Web Application Security Introduction

This is the minified introduction talk to Web Application Security derived from my Training Workshop slides (https://de.slideshare.net/BjrnKimminich/web-application-security-21684264) - It gives a short motivation why Web Application Security is a high priority today and then goes through three of the most prominent vulnerabilities of web apps:
- SQL Injection
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
It will be explained how each of these technically works, what damage it can cause and how to avoid it in your own applications. The talk concludes with a summary of existing measures to increase application security and explains why none of them is a 100% solution. To keep you on the topic for a while after the talk, a "hacking homework" is presented in which a vulnerable local web shop is to be hacked in various ways.

8.
Source: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
„61 percent of malicious sites are actually regular websites that have been compromised and infected with malicious code.“

9.
Open Web Application Security Project
Open community
Non-profit organization
Core purpose
Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software
https://www.owasp.org
Source: https://www.owasp.org

29.
Add a secret token to all sensitive (state-changing) requests that the browser does not submit automatically: put it in a hidden form field or request header, never only in a cookie
This makes it impossible for the attacker to forge the request, since he cannot read the token (unless there is an XSS hole in your application)
Tokens must be unpredictable: cryptographically random, bound to the user's session and verified on the server for every sensitive request
Make sure your application has no XSS holes which could be exploited to attack other applications (or itself), because script running in your origin can read the token and submit it
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx

30.
What shenanigans might our troll friend have in mind with any unwelcome forum posts he encounters?
[img]http://forum.com/logout.do[/img]